Skip to main content

Posts

Showing posts from May, 2012

Linux auditing using Nessus

Nessus can scan a range of Linux flavours. As of writing these are: CentOS Debian Fedora Gentoo Red Hat Slackware SuSE Ubuntu There are two types of scans Nessus can run against Linux hosts:  Patch audit Compliance audit Patch audit - the plugin families are "[distro name] Local Security Checks". Nessus will audit targets and report on missing security patches based on advisories  released  by respective distributions. Nessus requires credentials in order to preform this type of scan as this are local checks. Tenable recommends that root level  credentials are used, though  I have been able to successfully scan Linux hosts with a "standard" account.  This however depends on distribution and how hardened it is. On Red Hat distros Nessus executes the following commands which work with non-root accounts: $rpm -qa $uname -a Nessus then compares its database with versions of kernel and installed packages.    Compliance audit  - Ten

Securing OSPF

There are multiple ways to secure OSPF.  The essential one is authentication. By default there isn't any validation to assure legitimacy of an OSPF topology update. Basically an attacker or a bored employee could install a physical router and become a member of a routing system. Alternately a tool such as LOKI ( http://www.ernw.de/content/e6/e180/index_eng.html ) could be used. LOKI provides a GUI and is very simple to use, I however found it a bit buggy. More on that can be found in my Attacking OSPF - route injection post. Other tools that could be used include:  SCAPY  http://www.secdev.org/projects/scapy/  - very advanced and fairly complicated packet generation tool, to craft OSPF packets it requires OSPF extension TCPREPLAY -  http://tcpreplay.synfin.net/  - a legitimate OSPF adjacency set up and database exchange could be captured, modified and replayed (I had limited success with this technique) On a Cisco router we can use the following to secure our OSPF routi

Attacking OSPF - route injection

LOKI and author's Black Hat presentation can be downloa ded here:   http://www.ernw.de/content/e6/e180/index_eng.html   Falsifying routing information can have disastrous consequences to network stability. For example an attacker could reroute traffic through a monitoring station and capture traffic for later analysis. An attacker could also reroute traffic to a black hole or reroute a 10 Gig transit link traffic towards a 1 GB link causing a Denial of Service (DoS) condition.  Both network topology and scenario presented in this post are extremely simplistic but should be sufficient to present potential implications. Our topology: R1's routing table looks as follows: R1#show ip route C    20.0.0.0/8 is directly connected, FastEthernet1/0      172.16.0.0/24 is subnetted, 1 subnets C       172.16.0.0 is directly connected, FastEthernet0/0 O    192.168.5.0/24 [110/2] via 172.16.0.1, 00:00:01, FastEthernet0/0      10.0.0.0/32 is subnetted, 1 subnets C       10.0.

Auditing Cisco configuration - startup-config vs running-config

There are two types of config files in Cisco switches and routers. They are "startup" and "running" configs.  Startup config - is a configuration file stored in NVRAM that a device will use to configure itself upon reload. It can be viewed by running "show startup-config" command.  Running config - is a currently used configuration stored in volatile memory. It can be viewed by running "show running-config" command. When an admin logs in to a switch and makes configuration changes they are applied to running config. In order for them to be retained after switch reload, those changes must be committed to startup config by running "copy running-config startup-config" or simply "wr". If changes are not committed they will be lost upon reboot.  Output of "show running-config" at the very beginning includes information regarding when last changes were made and when they were last committed. In this example we ca

Auditing Cisco configuration - CIS RAT

CIS RAT (Centre for Internet Security - Router Assessment Tool) is a free Perl tool that audits Cisco config files against CIS benchmarks, it creates an HTML report and shows where your config meets or fails CIS benchmark.  We can audit against benchmark level 1 and 2. The tool is supported on both Linux and Windows (though getting it to work on Windows required a bit of source code tweaking).  RAT can audit configuration of the following devices: IOS ASA PIX FWSM RAT can be downloaded here:  http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rat.unix.252 Installation on Windows requires ActiveState Perl to be installed. Detailed installation instruction can be found in "rat\etc\install.win32.txt" upon extraction.  Upon installing RAT I had to edit "rat.pl" and change the following (this shouldn't be required so it may work in your case) line 669: to point to the correct directory use lib 'c:\rat\lib';. lines 7